Google to revoke GMail access from non-secured apps starting Feb 2019

Executive summary

Google is strengthening security requirements for 3rd party apps using the GMail API, revoking access to the GMail API on February 22nd, 2019. To continue using the GMail API, apps have to pass a permitted use review and a cyber-security assessment. A 3rd party software security expert organization has to be hired to conduct the technical security review and generate the audit materials for submission to Google's assessors.

What’s going on?

Following a Google+ security breach, to protect its business, Google shared an update to the GMail user data policy and announced a forthcoming new policy requiring all apps using Google APIs (specifically, the GMail API) to pass a permitted use review and a technical cyber-security assessment.

Who’s affected?

All applications using Google APIs – web, mobile, and native – that operate on non-GSuite accounts (i.e. @gmail.com), fall under the new rules.

More specifically, these rules apply on a per-Client ID basis, and separate reviews need to be conducted for each Google Client ID a company uses.

To understand if your app is affected by these new rules, below are the specific covered Gmail API Scopes (the “Restricted Scopes”):

How to comply?

Google laid out 2 sets of requirements, with differing deadlines.

Permitted use review – Feb 15, 2019 deadline

This review will be done by Google based on developer provided documentation and Google’s own review of the application. Specific policies that a developer needs to ensure they meet and document are:

2. How Data May Not Be Used: User data must be used to provide user-facing features and may not be transferred or sold for other purposes.

3. Security: It is critical that 3rd-party apps handling Gmail data meet minimum security standards to minimize the risk of data breach. Apps will be asked to demonstrate secure data handling with a number of different assessments (see “Cyber-security assessment” below).

4. Accessing Only Information You Need: During application review, we will be tightening compliance with our existing policy on limiting API access to only the information necessary to implement your application.

Who can help?

Google estimates the reviews performed by their dedicated assessor to cost between $15,000 and $75,000 (or more), which is about 3 times more than such engagements usually cost – it pays to be a “Google approved” assessor.

However, you don’t have to shell out this much to get compliant. Per Google’s own publication:

If your app has completed a similar security assessment, you will be able to provide a letter of assessment to the assessor as an alternative.

How not to break the bank?

In order to optimize the expense of getting apps compliant with Google’s new rules, SoftSeq has developed internal procedures and materials. Because they are specifically targeted at the new GMail API security policy, they can be reused across engagements and presented to Google’s assessors, significantly lowering compliance costs.

This service comes with a guarantee – should Google’s security assessors require additional security work that was not initially scoped by SoftSeq, it will be performed free of charge.